NCUA Doesn’t Need Power Over Vendors: NAFCU, CUNA
Congress may be receptive to the agency’s argument, particularly in the context of cybersecurity.
Major credit union trade groups still aren’t buying NCUA Chairman J. Mark McWatters’s plea that Congress give the agency enforcement authority over third-party vendors that credit unions use.
“NCUA has effectively managed this risk within their current regulatory authority,” CUNA President/CEO Jim Nussle said in a letter to the Senate Banking Committee. “Credit Unions are required to perform due diligence on their third-party vendor relationships, and this due diligence is already subject to supervision by the NCUA.”
But a source in the credit union community said Congress may be receptive to the agency’s argument, particularly in the context of cybersecurity.
“Congress is going to agree with the agency on this,” the source predicted. “The ground is fertile for the agency to do this next year. The industry is going to hate it and we’re going to fight it.”
The Banking Committee on Tuesday held a hearing on implementation of the regulatory overhaul legislation passed by Congress. As part of his testimony, McWatters asked Congress to give the agency enforcement powers over third-party vendors.
He pointed out that the NCUA is the only banking regulator that does not have that power.
“Fintech is revolutionizing financial services, but it also is requiring traditional financial service providers to adapt and embrace new methods, technological innovation, and new technology partners in order to remain competitive in the marketplace,” McWatters told the Banking Committee in written testimony.
McWatters said that the NCUA does not have the oversight power needed to help credit unions deal with the cybersecurity risks posed by fintech companies.
He said that CUSOs are required to give the NCUA access to their books, but they are free to reject the agency’s recommendations.
“Without vendor authority, the NCUA cannot accurately assess the actual risks present in the credit union system and determine if current CUSO or third-party vendor risk-mitigation strategies are adequate to protect the system from a systemic risk,” he said.
He sought to minimize the budgetary impact, saying that credit unions no longer would have the total responsibility to police vendors.
“In other words, credit unions will no longer be stuck in the middle of trying to resolve problems between their vendors and their regulator and insurer,” he said.
NAFCU officials disagreed.
“While NAFCU supports strong cybersecurity protections, granting the NCUA third-party vendor examination authority is unnecessary, costly and would not necessarily result in better supervision of credit unions,” Carrie Hunt, NAFCU’s executive vice president of government affairs and general counsel, said.
NASCUS supports granting the NCUA enforcement powers under certain circumstances, said President/CEO Lucy Ito.
“We continue to support NCUA obtaining examination authority over technology service providers that provide services to federally insured credit unions,” she said. “However, in states with existing vendor examination mechanisms in place, deference should be given to the state authority to supervise these vendors.”
The new power would be a costly and unnecessary expansion of the agency’s powers, said Jack Antonini, president/CEO of NACUSO.
“Today NCUA has full access to vendor reviews completed by the other banking regulators through their membership and participation in the [Federal Financial Institution Examination Council], and they have oversight of CUSOs through their credit union owners,” he said.
He added that CUSOs have been complying with the NCUA’s requests to perform reviews for the past several years.